forged by another entity, has not been altered, and cannot be repudiated by the
sender.

Encryption
The process of disguising the contents of a message and rendering it unreadable
(ciphertext) to anyone but the intended recipient.

Integrity
The guarantee that the contents of the message received were not altered from the
contents of the original message sent.

Non-repudiation
Undeniable proof of the origin, delivery, submission, or transmission of a message.

Public-Key Encryption
The process by which the sender of a message encrypts the message with the public
key of the recipient. Upon delivery, the message is decrypted with the recipientÔÇ™s
private key.

Public/Private Key Pair
Each private key has an associated public key that anyone can access. Data
encrypted with a public key can be decrypted with its associated private key and
vice versa. However, data encrypted with a public key cannot be decrypted with a
public key.

X.509
The ISO authentication framework uses public key cryptography (X.509 protocols).
X.509 has a structure for public key certi´¬ücates. This framework allows for authenti-
cation across networks to occur.

Concepts 3-3
Oracle Cryptographic Toolkit Concepts

3.2 Oracle Cryptographic Toolkit Concepts
Following is a list of Oracle Cryptographic Toolkit concepts. Refer to Section 1.3,
ÔÇťOracle Cryptographic Toolkit Functional LayersÔÇŁ for information on how these
concepts are implemented.

Cryptographic Engine
A cryptographic engine (CE) is an implementation of cryptographic functions. The
CE can be software based, such as RSAÔÇ™s BSAFE, or it can be hardware based, such
as a FORTEZZA card.

Detached Signature
A detached signature gives you the ability to manipulate the message indepen-
dently of the signature for that message. Use a detached signature to sign an object
that can be used with or without signature veri´¬ücation (for example, applets and
database rows).

Entity
An entity is a person (physical or imaginary) or a process.

Enveloping
Enveloping is the process of digitally signing a message for authentication and
encrypting the message with the recipientÔÇ™s public key for privacy. It provides both
sender veri´¬ücation and message privacy.

Identity
An identity is composed of the public key and any other public information for an
entity. The public information may include user identi´¬ücation data: an e-mail
address, for example.

Persona
A persona is the combination of an identity (public information) and its associated
private information. A personaÔÇ™s type is inherited from that personaÔÇ™s identity. A
persona is always protected by a password associated with the wallet.

Personal Resource Locator
The personal resource locator (PRL) acts as a reference to a group composed of a
persona, its self-identity, and its trusted identities. It is a string in the format:
type:parameters

where type is one of the de´¬üned persona types and parameters is 0 or more param-
eters necessary to access the persona. The platform speci´¬üc PRL can be speci´¬üed
with:
default:

to indicate that the persona is contained inside the wallet and can provide an addi-
tional protection key that is speci´¬üc for this persona.

Note: The value of the platform speci´¬üc PRL above is default, because
only the default wallet is supported in this release of the Oracle Crypto-
graphic Toolkit.

Protection Set
A protection set is a list of tuples (elements) in the form ((cryptographic-function-1,
format, algorithm(s), parameter(s)) (cryptographic-function-2, format, algorithm(s),
parameter(s)), ...). It represents the current set of algorithms and message formats
to be used with the cryptographic functions.

Recipient Oriented Encryption
Recipient Oriented Encryption is the process of encrypting a message with a ran-
domly generated symmetric key and then encrypting the encrypted message with
the public key of the recipient.

Signature
See ÔÇťDigital SignatureÔÇŁ.

Symmetric Encryption
Symmetric Encryption is an encryption method where both of the communicating
parties agree on a secret key (or algorithm) that can be used to both encrypt and
decrypt a message.

Toolkit Data Unit
A toolkit data unit (TDU) is an encoding of possibly formatted and/or cryptograph-
ically altered data that is created by an application using the Oracle Cryptographic
Toolkit. The TDU is usually transferred to another application that, in turn, uses the
Oracle Cryptographic Toolkit to decrypt the TDU back into data. The TDU is the

Concepts 3-5
Oracle Cryptographic Toolkit Concepts

message granularity of the Oracle Cryptographic Toolkit, and it is transport inde-
pendent.

Trust Point
A trust point is a third party identity contained within a persona that is quali´¬üed
with a level of trust. The trust point is used when an identity is being validated as
the entity it claims to be.

Wallet
A wallet implements the storage and retrieval of credentials for use with various
cryptographic services. It represents a storage facility that is location and type trans-
parent once it is opened. A Wallet Resource Locator provides all the necessary infor-
mation to locate the wallet.
A Wallet Resource Locator (WRL) is a string in the format:
type:parameters

where type is one of the de´¬üned wallet types and parameters is 0, or more, parame-
ters necessary to access the wallet. The platform speci´¬üc WRL can be speci´¬üed with:
default:

to quickly access the default wallet.

Note: The value of the platform speci´¬üc WRL above is default, because
only the default wallet is supported in this release of the Oracle Crypto-
graphic Toolkit.

4.1 Basic Oracle Cryptographic Toolkit Program Flow
The following section describes the typical program ´¬‚ow for those who want to use
the Oracle Cryptographic Toolkit and provides program code examples for calling
the available functions. Refer to Figure 4ÔÇ“1, ÔÇťOracle Cryptographic Toolkit Program
FlowÔÇŁ, below, for an illustration of how a typical program ´¬‚ows using the Oracle
Cryptographic Toolkit.

Figure 4ÔÇ“1 Oracle Cryptographic Toolkit Program Flow

4.2 A Programming Example
This section ´¬ürst lists the programming steps to follow when you use the Oracle
Cryptographic Toolkit. The balance of this chapter provides the following sample
code for your use:
ÔÇťAn Example: Generating a detached signature for an array of bytesÔÇŁ

4.2.1 Using the Oracle Cryptographic Toolkit
Follow steps 1 - 5 to access the Oracle Security Server.
Once the OCI process has been initialized with OCIInitialize and the environ-
1.
ment has been initialized with OCIEnvInit (refer to the ProgrammerÔÇ™s Guide to
the Oracle Call Interface), the security handle can be created with OCIHandleAl-
loc and initialized with OCISecurityInitialize. The security handle is used with
subsequent calls to the Oracle Cryptographic Toolkit.
...
OCIError *error_handle = (OCIError *) NULL;
OCISecurity *security_handle = (OCISecurity *) NULL;
...

/*
* The OCI process and environment have already been initialized.
*/

Typically, an application will ´¬ürst need to open a wallet in order to get its per-
2.
sona and gain access to the list of trusted identities. The wallet location is speci-
´¬üed through a Wallet Resource Locator (WRL), and if the contents have been
protected with a password, the correct password must be provided as well.
...
nzttWallet wallet;
...

During termination, the application should call OCIHandleFree to deallocate
5.
the security handle once the wallet has been closed and the security subsystem
has been terminated.
OCISecurityCloseWallet(security_handle, error_handle, &wallet);
OCISecurityTerminate(security_handle, error_handle);
OCIHandleFree((dvoid *) security_handle, OCI_HTYPE_SECURITY);

4.2.2 An Example: Generating a detached signature for an array of bytes
The following code sample shows you how to generate a detached signature for an
array of bytes. For brevity, errors are checked but are not displayed. Refer to Part
III, ÔÇťAppendicesÔÇŁ, for a complete code example.
#include <oratypes.h>

/*
* Clear out the wallet and signature structures so that if an
* error occurs before they are used, they are not mistaken for
* holding allocated memory.
*/
memset(&wallet, 0, sizeof(wallet));
memset(&signature, 0, sizeof(signature));
/*
* Initialize the OCI process.
*/